And yet another one from the mind of Lohkee!

From: Lohkee (Lohkee@worldnet.att.net)
Date: 01/18/03


Here is another one of my ramblings for your amusement. I am, as always,
very interested in (and appreciative of) feedback. The rules are the same
as before, i.e., I will only respond to serious comment on the paper:
questions/clarification regarding a particular point, technical
inaccuracies, things that should be added, things that should be deleted,
etc. (just don't have the time to indulge the trolls these days - sorry
losers).

Internet Content Blocking Software (DRAFT FOR COMMENT)
Copyright (C) by Lohkee
All Rights Reserved

Just fifteen minutes of recreational surfing per day can cost a company with
five hundred employees ($25.00/hour/employee) over $800,000 per year in lost
productivity. Some organizations that allow employees to surf the net have
learned the hard way that doing so greatly increases the risk of unfavorable
litigation (hostile work environment, various types of discrimination,
sexual harassment, etc.). Others have discovered how much bandwidth can be
diverted from critical business needs by just a few employees downloading
their favorite MP3 files. Some have even seen their networks crash as a
result of an employee downloading hostile code and running it on their
workstation. And the list goes on. Personal use of the Internet creates
numerous very serious problems for an organization. One of the more popular
solutions within the professional security community is the use of content
filtering software.

Content filtering software attempts to block access to inappropriate
websites by matching the address of the website requested by a user against
a database of websites that have been categorized by the type of content
they offer. Some add a dynamic component that attempts to categorize
requests "on the fly" in an effort to compensate for the dynamic nature of
the Internet, i.e., the requested website has not yet been categorized and
put into the database. Like many other so-called "state of the art"
solutions offered by the professional security community that do not really
solve a problem, this is another idea that sounds fairly reasonable (the
absolutely ridiculous price of these products notwithstanding) until you
start taking it apart.

Content filtering software is generally based on a negative database model;
if the web site requested by a user is not in the product's database of
prohibited destinations the filtering software has no choice but to pass it
through. Obviously then, the accuracy of the monitoring database is
paramount to the quality of the product. There is nothing wrong with
negative databases, per se, however they do not work at all well in dynamic
environments, particularly in those that are as fluid as the Internet. It
is virtually impossible to maintain any semblance of an accurate database
when the data involved is subject to rapid and constant change. There are
three reasons for this. The first involves the sheer volume of data and is
self-explanatory. The second is that you have to first know about the
existence of a web site before you can categorize it. The third is that,
once categorized, a given web site must continue to exist and remain
constant in terms of content to be relevant, i.e., a database of web sites
that no longer exist is pretty much worthless.

One of the more expensive products on the market claims to have categorized
more than 900 million web pages. This sounds pretty impressive until you
compare the size of the filter's monitoring database to the size of the
Internet which has been estimated by researchers to contain over 550 billion
pages with 7.5 million new ones being added each day (no one really knows
how many web sites change their names or are taken down each day).
Essentially, this product has categorized less than two tenths of one
percent of the content freely available to anyone on the Internet and there
is no guarantee that all of the web sites in their monitoring database even
still exist. With 99.8% of Internet content still available to the employee
it is a pretty safe bet that you have not solved, or even addressed in any
meaningful way, any of the problems enumerated in the first paragraph. Not
bad for a product that can easily cost the organization over $25,000!
And this is a good deal?

In addition to not working well in dynamic environments, negative models are
more difficult to defend in terms of adverse actions for inappropriate
conduct. The organization blocks access to inappropriate sites, therefore,
if a given site is not blocked it is reasonable to conclude that access is
permitted. Any other line of reasoning burdens the employee with the
impossible task of being able to read management's mind at any given point
in time with regard to a particular web site. This problem is further
compounded by a rather interesting conundrum inherent to the use of a
negative database; how can you hold someone accountable for attempting to
access a prohibited web site when they have no way of knowing that it is
prohibited until after the fact? The typical response to this question
(albeit simple minded and technologically ignorant) is that the employee
should know a given site is inappropriate by its very name. Unfortunately,
in many cases the content of a website is not readily apparent by its URL
(name), for example: www.whitehouse.com is a very well known porn site,
whereas, www.whitehouse.gov is the home page for the United States
government. Another closely related issue is that web sites often mix
content, for example: The Register (www.theregister.co.uk) is an excellent
source of industry related information that often also contains material
many would consider to be inappropriate. Let us not forget that
pornographers are famous for hijacking links to popular mainstream web
sites. The user clicks on what he thinks is a "legitimate" website and
then, without warning, twenty windows appear on his screen displaying porn!
Unfortunately, the system's audit trail will show that the user attempted to
access each of these sites. Perhaps the pertinent question is not whether
you can make an adverse action stick, but how much it will have cost by the
time your attorney advises you to settle out of court because you have
inadvertently accused an innocent person. While we are on the subject of
being sued, how much will it cost you to settle a discrimination suit if you
allow employees to access Christian web pages but prohibit access to Wiccan
web pages? Both are, after all, legitimate established religions in the
United States.

Connecting mission critical production systems to the Internet is a very bad
idea. Allowing employees to surf the net at work is even worse. The risks
are great with no tangible return on investment. That being said, the above
issues can be easily addressed without spending a fortune, by simply
reversing the paradigm and using a positive database. This approach works
by allowing only those requests that have been pre-authorized and is
therefore extremely effective in highly fluid environments such as the
Internet. Best of all, it is essentially FREE! Most firewalls, and many
operating systems, have the ability to block outbound traffic based on
predefined rules. Non-business (not work-related) sites, such as banks, etc.,
could be added to the "approved" list by request after they have been
reviewed for content thus enabling employees to conduct personal business
such as banking, filling prescriptions, etc., while at work. This process
is not as labor intensive as it might first appear, even for very large
organizations. Suppose, for example, that you want employees to have access
to the daily news. You do not have to make a rule for every news site on
the web. Simply make a rule for a few of the major networks such as ABC,
NBC, CBS, CNN, etc. People will squawk and some will try to argue that they
might be missing "critical" information when searching the net. As a
general rule this is simply not true. One does not need access to every
site dealing with a particular subject when access to one or two of the
major subject matter sites will suffice. There will also be the few who
need access to some obscure web site. No problem, have them submit the
site's address to the administrator through their manager. The point here
is not to deny access to information, rather to ensure that the information
is appropriate and does not put the organization at risk. True, employees
will no longer be able to "surf at will" but so what? Contrary to popular
opinion, Internet access at work is a privilege, not a right. Protecting
your business, on the other hand, is! One method of making the transition
relatively painless is to analyze your audit trails and build a list of
approved sites. Do not automatically add every site you find. Categorize
them by content and then add only the major providers. When the rules go
into effect many, particularly those who do not abuse the Internet, will
never notice the difference. The initial setup will take about two weeks,
however, that cost pales in comparison to spending several thousand dollars
for products that will never work well (and take about a week to install).
You will be surprised how small your database of approved sites is. Even in
very large organizations it is unlikely to exceed fifteen hundred items and
can easily be less than one hundred.
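The positive-database approach described above, as an added example that is not part of the original post: a default-deny host matcher placed beside the negative model the post criticizes, plus a pass over audit-trail lines to pick out the heavily used providers an administrator would review first. All rule entries, host names and log lines are constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed positive database; a leading '.' approves a domain and all its sub-domains.
APPROVED = {"www.cnn.com", ".abcnews.go.com", "www.whitehouse.gov", "online.mybank.example"}
# Constructed negative database: the one host the vendor happens to have categorized.
PROHIBITED = {"www.whitehouse.com"}

def host_of(url):
    """Lower-cased host name from a URL, or '' if the URL has none."""
    return (urlsplit(url).hostname or "").lower().rstrip(".")

def allowed_positive(url, approved=APPROVED):
    """Positive model: pass only pre-authorised hosts and deny everything else.  Matching is
    on whole DNS labels, so www.whitehouse.com never matches the www.whitehouse.gov entry."""
    host = host_of(url)
    if host in approved:
        return True
    labels = host.split(".")  # a.b.c -> also try .a.b.c, .b.c and .c (never a partial label)
    return any("." + ".".join(labels[i:]) in approved for i in range(len(labels)))

def allowed_negative(url, prohibited=PROHIBITED):
    """Negative model: anything not in the prohibited database must pass."""
    return host_of(url) not in prohibited

# Constructed proxy audit-trail lines: "<time> <user> <url>".
AUDIT_TRAIL = """\
2003-01-13T09:01:12 alice http://www.cnn.com/2003/WORLD/index.html
2003-01-13T09:02:44 bob http://abcnews.go.com/sections/business/
2003-01-13T09:03:01 carol http://www.whitehouse.com/index.html
2003-01-13T09:04:37 alice http://www.WhiteHouse.gov/news/
2003-01-13T09:05:10 dave http://mp3.warez.example/top40.zip
2003-01-13T09:06:55 bob http://www.cnn.com/TECH/
2003-01-13T09:07:20 erin http://evil-abcnews.go.com/login
"""

def parse_trail(log_text):
    """(user, url) pairs from the audit trail, skipping blank lines."""
    return [tuple(line.split(maxsplit=2)[1:]) for line in log_text.splitlines() if line.strip()]

def passed(log_text, policy):
    """URLs in the audit trail that a policy would let through."""
    return [url for _, url in parse_trail(log_text) if policy(url)]

def candidate_hosts(log_text, min_users=2):
    """Hosts used by several people: the 'major providers' to review first when seeding the list."""
    users = {}
    for user, url in parse_trail(log_text):
        users.setdefault(host_of(url), set()).add(user)
    return sorted(h for h, u in users.items() if len(u) >= min_users)
```

Run against the constructed trail, the negative model passes every request except the single categorized host, while the positive model passes only the four requests to reviewed providers and denies the look-alike sub-domain.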

Comparing the two methods side by side is a real eye-opener:

Negative: Very expensive.
Positive: Essentially FREE

Negative: Mandatory long term relationship with the vendor.
Positive: No external relationship required.

Negative: Frequent updates to very large database.
Positive: Infrequent updates to a very small database.

Negative: Low coverage, inherently inaccurate.
Positive: Complete coverage, extremely accurate.

Negative: Does not save bandwidth.
Positive: Does save bandwidth.

Negative: Inherently discriminatory.
Positive: Not discriminatory.

Negative: Not effective in reducing lost productivity.
Positive: Enhances productivity.

Negative: Creates enforcement problems.
Positive: Eliminates enforcement problems.

Negative: Threat is not appreciably reduced.
Positive: Threat is greatly reduced.

Negative: Method inconsistent with the principle of "least privilege".
Positive: Method consistent with the principle of "least privilege".

Negative: Often requires additional hardware.
Positive: Does not require additional hardware.

Negative: Does not promote security.
Positive: Promotes security.

You can pay thousands of dollars for a so-called "solution" that does not
really solve a problem, or you can save your money and implement one that
does. The choice is yours.

Lohkee!


